Many teams lack spend controls

A governance snapshot circulating among artificial intelligence teams says most agent deployments still run without basic logging or security controls, leaving spending and audits hard to track. (x.com) The figure in that thread was about 81% of teams, and the missing controls were basic ones: records of what an agent did, what tools it called, and which model or vendor handled the work. OpenAI’s production guidance says teams should log request identifiers in production, and its enterprise compliance tooling is built to export logs and metadata into security and legal review systems. (x.com) (developers.openai.com) (help.openai.com) An agent is software that can take actions on its own, such as searching, drafting, or calling other applications, so one bad setting can multiply both cost and risk across many steps. Microsoft’s agent governance guidance says organizations need policies across data governance, compliance, and security before agents spread across teams. (learn.microsoft.com) The regulatory pressure is no longer theoretical. The European Commission says the Artificial Intelligence Act entered into force on August 1, 2024, with penalties applying from August 2, 2025, and most of the Act’s rules and enforcement beginning on August 2, 2026. (commission.europa.eu) (ai-act-service-desk.ec.europa.eu) (artificialintelligenceact.eu) Under Article 99, the top tier of European Union fines can reach 35 million euros or 7% of global annual turnover for banned practices, with lower tiers of 15 million euros or 3% for other obligations and 7.5 million euros or 1% for misleading information. At recent exchange rates, 35 million euros is roughly $39 million, so posts citing about $47 million are directionally pointing to the Act’s upper-fine regime rather than a fixed dollar cap in the law. (ai-act-service-desk.ec.europa.eu) (artificialintelligenceact.eu) The thread also pointed to “governed memory,” which means keeping control over what an agent remembers, where that memory is stored, and who can change or delete it. Google Cloud said in its Recommended AI Controls framework that standard compliance checks often miss how autonomous systems access data and act across the full life cycle. (x.com) (cloud.google.com) Vendor changes are another weak point because model names, retirement dates, and pricing can move while the agent keeps running. Anthropic’s documentation tells customers to check deprecation notices regularly and export usage by API key and model so they can find old integrations before shutdown dates. (platform.claude.com) Google’s Vertex AI documentation now lists dated shutdown schedules for partner models, including Claude 3 Haiku deprecating on February 23, 2026 and shutting down on August 23, 2026. OpenAI’s API site also advertises billing and usage alerts as enterprise controls to avoid overages. (docs.cloud.google.com) (openai.com) United States guidance is less prescriptive than the European Union law, but it points in the same direction. The National Institute of Standards and Technology says its Artificial Intelligence Risk Management Framework is meant to help organizations govern, map, measure, and manage artificial intelligence risks across the system life cycle. (nist.gov) The practical gap is simple: if a team cannot show which model ran, what data it touched, what tools it used, and who approved the setup, it will struggle to explain a surprise bill or an audit request. That is the hole these governance threads are describing. (x.com 1) (x.com 2)